The most successful and lucrative form of marketing, by far, is re-marketing.
That is where you take someone who signed up but is not currently a customer and you target Facebook/Google ads specifically at that email address. I've seen conversion rates as high as 30% and it's typically pretty affordable.
It's such a critical part of marketing that many companies will take a loss on the initial "here is our product, please join" ads just so they can follow up with re-marketing in the weeks/months to come. And because people re-use their email addresses across websites you can target them on Quora, Reddit etc as well.
You can't do any of this without their email.
Just 30%? Pfft. Just wait until they become a customer, and then advertise to them. Bingo, 100% conversion success. Best way to do it? Advert on the conversion page. Customer pays money, you show them an advert, 100% relationship between the advert and conversions, sterling job, and you cut out the middleman because it doesn't need a third party agency to do the placement, so it's affordable even after your fees.
If I didn't have to give an email, I'd probably still use those services; Reddit comes to mind. I'm only signing up because I'm interested in the first place.
Having my email and spamming me...sorry, remarketing to me, makes no difference to my retention because I never see it. Providing a quality service I care to use is why I stay with things.
That is scummy as hell and might even get you in trouble when it comes to the GDPR if you're operating in the EU.
If I sign up for your web service the last thing I want is Facebook/Google knowing that fact.
You've signed up for a web service and never seen ads on other sites for it? Very strange.
Plus, hey.com (from DHH) has seen huge growth without any sort of re-marketing or spy pixels (as he says).
In my view, for most applications, the upside is not really worth that downside. It got me thinking though, are there any clever solutions to do password reset without an email / social media account login / etc? Does anyone know of any good ones?
This gets a little more tricky if you have an unexpired session but want to be able to change your password (which likely requires knowing the existing password), but a request from this logged in session to reset your password should be trustable (unless your "friends" have also stolen your unlocked device).
Similarly, if one or more of your "friends" requests a token / password reset of your account, the site should highlight that in a banner on every page you visit, to potentially give you warning to find better friends. (The process for replacing a friend on the site should probably require re-entering your password too, to stop someone that's hijacked your session from picking three sock puppet accounts as your new friends, and resetting your password that way).
Another possibility is requiring a payment with a payment method they’ve used before and then credit their account with the amount. Forcing 3D secure on that transaction should cut down on fraudulent take overs; or at least shift the liability from you, somewhat.
If you have an app, you can also allow them to authorize the password reset from the app on a computer (or vice versa).
Lastly, you could just not have a password to forget. :)
In fact, the more I think about it, there's a paper I saw that can identify users solely by their mouse movements. If you maintained that kind of fingerprinting in game, you could simply ask the user to play a few rounds then offer to reset if they're from a typical IP address. Might work well for this particular website.
Assumes:
- people are less likely to lose their PGP key, than random password to a random website.
- people have PGP keys
- PGP key doesn't contain email address (it does).
Anyway, it would be reliable, and it doesn't need giving third party online service access to all your online accounts.
This is one of the reasons I stopped giving out my primary email address for user signups. I use a service called Blur which allows for unlimited "masked" emails to be created, allowing me to give companies read-only email addresses. In the four years I've had it I have created 378 email addresses. If I'm including the email addresses that I've already deleted, the list gets to 400.
Marketing and the 3000 spam messages I get per month made me do this. It does not have to be this way, but as long as corporations can play fast and loose with my email address I will make sure they never get a real one to begin with.
Edit: Want to add here that I am not in any way sponsored by that company, I've just been using them for years now and think their prices are reasonable.
Everything before the UUID domain is just the name of the service, so something like hackernews@e913ff00...xyz. If someone sells out my email address, I can instantly burn it by just adding a sieve rule since they’re all unique. I even know who sold it based on what name I picked before the @ symbol. This has been working out pretty well for me so far.
To know which provider it was (in case I later get spam from somewhere else), I keep a text-file + email myself any time a new forwarder is set up, so this way I can always look up which service it was.
This way, I was able to spot a leak at box.com and maybe a couple of other places, before it was even announced.
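An added illustration of the per-service alias scheme discussed in the comments above (not code from any commenter): it attributes a leak to the service whose alias received mail from an unrelated sender, then burns that alias. The alias domain `aliases.example`, the registry contents, the use of `Delivered-To` as the recipient header and the sample messages are all constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

ALIAS_DOMAIN = "aliases.example"  # constructed placeholder for the private alias domain
# alias local part -> domains that service legitimately mails from (assumed registry)
REGISTRY = {"hackernews": {"ycombinator.com"}, "box": {"box.com"}}
BURNED = set()  # aliases retired after a leak; mail to them is rejected

def classify(raw_message):
    """Return (verdict, alias) for one delivered message."""
    msg = message_from_string(raw_message)
    rcpt = parseaddr(msg.get("Delivered-To", ""))[1].lower()
    sender = parseaddr(msg.get("From", ""))[1].lower()
    local, _, domain = rcpt.partition("@")
    if domain != ALIAS_DOMAIN:
        return ("not-alias", None)
    if local in BURNED:
        return ("reject", local)
    if local not in REGISTRY:
        return ("unknown-alias", local)  # never issued: guessed (info@, postmaster@)
    sender_domain = sender.rpartition("@")[2]
    # From: is forgeable, so "ok" only means "plausible"; pair with SPF/DKIM results.
    for allowed in REGISTRY[local]:
        if sender_domain == allowed or sender_domain.endswith("." + allowed):
            return ("ok", local)
    return ("leak", local)  # alias given to one service, used by someone else

def make(rcpt, sender):
    return f"Delivered-To: {rcpt}\nFrom: {sender}\nSubject: test\n\nbody\n"

# Constructed sample messages, in arrival order.
SAMPLES = [
    make("box@aliases.example", "Box <notifications@email.box.com>"),
    make("box@aliases.example", "Deals <deals@cheap-pills.example>"),
    make("box@aliases.example", "Box <notifications@box.com>"),
    make("info@aliases.example", "x@bulk-sender.example"),
]

def run_samples():
    """Classify each sample; burn an alias the first time it leaks."""
    results = []
    for raw in SAMPLES:
        verdict, alias = classify(raw)
        if verdict == "leak":
            BURNED.add(alias)
        results.append((verdict, alias))
    return results

if __name__ == "__main__":
    for row in run_samples():
        print(row)
```

Once an alias is burned, even the original service's mail to it is rejected, so a replacement alias has to be registered with that service first.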
1. What’s the length of the UUID that you use?
2. Haven’t you encountered forms that have shorter email address length limits?
3. Also, wouldn’t such a domain be seen as a spammer/scammer when machine learning starts taking over signup/registration systems?
It's definitely not the whole story, but this is a pretty well-studied thing in psychology. A similar trick in social engineering is to ask your mark for a small favor, which will make them more likely to do you a bigger favor later. I've read about it many times, but can't for the life of me remember what it was called...
From a Google search:
These 6 principles are reciprocity, consistency, social proof, liking, authority, and scarcity.
Login via Google / Facebook / Whatever is sometimes helpful, but it usually results in SPAM. For example, I logged into Redfin through Google and they immediately started spamming me.
Other times, when I log in through Facebook and disable sharing my email, the site that I'm trying to log into has a "mystery error" because the concept of not sharing my email address never occurred to whoever wrote the integration.
Most of the time, I just use a unique email address with each site. My domain has a catch-all email address, so when someone starts spamming it, I know who did it.
Instead of [everything]@example.com, I set up [everything]@yo.example.com. Discovering subdomains is much harder and the one time I encountered a form that didn't like a subdomain, I just made a forwarding address on my main domain.
Using Fastmail's rules, I have a setup where every message arriving to @yo.example.com gets shunted into a folder unless there's a different rule putting it somewhere else.
The spam I've received on my catchall is either based on previously breached sites (which I once signed up to) or to very common mailbox names (e.g. postmaster@, info@). I just add those to an auto-reject postfix filter based on the intended recipient, which keeps my inbox very clean.
Gmail handles the rest.
On the other hand, the elderly also are or could be moving in this direction. E.g. my mother getting an iPad and apps like WhatsApp have completely changed "computers" for her: from being mostly a chore that you have to use, to something really useful for getting information and staying in touch with relatives in other countries.
And you really need to be able to recover account access for a paid subscription. It's probably also reasonable to assume that if someone is going to give you a credit card number and address, they're probably OK with giving you an email.
It will give them the cookie again if they re-visit from any IP they've previously used.
It also re-gives them the cookie if they try to pay again with the same credit card.
Support just tells people to try to resubscribe if their subscription has 'vanished' - but it seems to happen to very few customers.
With MakePostSell [1] a customer may add products to their shopping cart and interact with a shop as if they are logged in, but at the point of sale / checkout, we ask them to verify their email.
Instead, give them a searchable FAQ or a wiki and an email address to write to for support. Connect it to a ticket system that autoresponds with a ticket number.
(then you added your second paragraph while I was writing this.)
Eg. help3a2fg@company.com
The support team can figure out which account or anonymous cookie saw that email address.
It's a handy way to still communicate directly with users while holding as little PII data as possible about them.
Sadly though, it appears all these temporary mail domains are in some central list, that data harvesters use to deny access. It's almost impossible to sign up for forum accounts with these. So it's impossible to download files from vinylengine.com unless you allow them to spam you.
One is my actual address that human people who I know have.
The other – referred to as “the sluice” – is everything else. I don’t really care what goes in it. A rule marks it as read as soon as it hits my inbox.
Simple but massively effective. I used to get stressed about spam but now I don’t give a crap.
Edit: also, the sluice mailbox is 2020@mydomain. When it does finally become too much of a cesspit, I'll just kill it and create 2023@...
Edit: I do like the recommendation of showing them the email they're waiting to validate so that they can see typos.
It's an API where you give it the user's email address and they tell you if they think it's real or not. I have it such that if it's not risky I bypass the "verify email" step.
Not sure how long the API will be around and it's pretty slow but for now at least it's free.
There are times when removing email is best, and others where data or business vertical necessitates something different. You still need to verify with your users and do the appropriate testing / analysis / user research.
Your website should allow "demo mode" to make me see what's the value it provides. No way I will go through registration on random pages that fail to immediately make me crave to use them. I ain't got time or will for that.
2) If you want to follow advice of the article, I'd rather not remove email field, but as I wrote before, allow demo mode, and at next step when actually registering the user, put a clear one paragraph sentence saying that you'll not be spamming me with your engagement stuff.
3) If you ask for email, absolutely verify it. There are way too many people who subscribe to all kinds of services using someone else's email. See this thread:
I just checked and I have a bit over 110 domains in my spam list that look like they were added over the years because of this. So I may have under-estimated how often I "blacklist" businesses like this.
https://blog.instapaper.com/post/2318776738
It's interesting to think that times may have changed and that people are hesitant to give out their email addresses anymore, but you are giving up some real benefits by leaving it out.
Anecdotally, I've observed the opposite too. I don't require email to sign up, but there is an email field further down in the form, and yet 95% of people DO enter an email that looks valid, and not just garbage. That said, only 5% clicked on the email verification link, presumably because they don't have to.
If you need me to register in order to purchase boots, then something is not ok.